summaryrefslogtreecommitdiffstats
path: root/libiptc
Commit message (Collapse)AuthorAgeFilesLines
* Makefile: Fix for 'make distcheck'Phil Sutter2022-12-141-0/+2
| | | | | | | | | Since extensions/ directory does not use automake, some targets have to be added manually. Apart from that, several Makefiles either missed to specify relevant files or did not specify them correctly for 'make dist' to add them to the tarball. Signed-off-by: Phil Sutter <phil@nwl.cc>
* Drop libiptc/linux_stddef.hPhil Sutter2022-12-141-39/+0
| | | | | | | This header was never included anywhere. Fixes: aae69bed01982 ("complete libiptc rewrite. Time to load 10k rules goes down from 2.20 minutes to 1.255 seconds (!). Might still contain bugs, use with caution.") Signed-off-by: Phil Sutter <phil@nwl.cc>
* libiptc: Eliminate garbage accessPhil Sutter2022-12-021-2/+2
| | | | | | | | | | | | | | | | | | | | | | When adding a rule, valgrind prints: Syscall param socketcall.setsockopt(optval) points to uninitialised byte(s) at 0x4A8165A: setsockopt (in /lib64/libc.so.6) by 0x4857A48: iptc_commit (libiptc.c:2676) by 0x10E4BB: iptables_main (iptables-standalone.c:61) by 0x49A3349: (below main) (in /lib64/libc.so.6) Address 0x4b63788 is 40 bytes inside a block of size 1,448 alloc'd at 0x484659F: calloc (vg_replace_malloc.c:1328) by 0x4857654: iptc_commit (libiptc.c:2564) by 0x10E4BB: iptables_main (iptables-standalone.c:61) by 0x49A3349: (below main) (in /lib64/libc.so.6) This is because repl->counters is not initialized upon allocation. Since the field is an array, make use of calloc() which implicitly does the initialization. Fixes: e37c0dc100c51 ("Revert the recent addition of memset()'s to TC_COMMIT. One of them is bogus and the other one needs more investigation to why valgrind is complaining.") Signed-off-by: Phil Sutter <phil@nwl.cc>
* libiptc: Fix for segfault when renaming a chainPhil Sutter2022-10-071-0/+9
| | | | | | | | | | This is an odd bug: If the number of chains is right and one renames the last one in the list, libiptc dereferences a NULL pointer. Add fix and test case for it. Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc") Reported-by: Julien Castets <castets.j@gmail.com> Signed-off-by: Phil Sutter <phil@nwl.cc>
* Makefile: Add --enable-profiling configure optionPhil Sutter2022-06-111-0/+1
| | | | | | A little convenience to prepare a build for analysis with gcov/gprof. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libiptc: Avoid gcc-10 zero-length array warningPhil Sutter2020-10-121-1/+1
| | | | | | | | | | | | | | | | Gcc-10 doesn't like the use of zero-length arrays as last struct member to denote variable sized objects. The suggested alternative, namely to use a flexible array member as defined by C99, is problematic as that doesn't allow for said struct to be embedded into others. With the relevant structs being part of kernel UAPI, this can't be precluded though. The call to memcpy() which triggers the warning copies data from one struct xt_counters to another. Since this struct is flat and merely contains two u64 fields, One can use direct assignment instead which avoids the warning. Signed-off-by: Phil Sutter <phil@nwl.cc>
* libiptc: do not typedef socklen_t on AndroidMaciej Żenczykowski2020-05-112-2/+2
| | | | | | | | | This is present in bionic header files regardless of compiler being used (likely clang) Test: builds Signed-off-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libiptc: silence two comiler warningsFlorian Westphal2019-09-161-2/+2
| | | | | | | | | | | | | | | | | avoid hyptothetical truncation by leaving space for triling zero byte. silcences: In file included from libip4tc.c:113: libiptc.c: In function ‘iptcc_alloc_chain_head’: libiptc.c:163:2: warning: ‘strncpy’ specified bound 32 equals destination size [-Wstringop-truncation] 163 | strncpy(c->name, name, TABLE_MAXNAMELEN); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ libiptc.c: In function ‘iptc_rename_chain’: libiptc.c:2388:2: warning: ‘strncpy’ specified bound 32 equals destination size [-Wstringop-truncation] 2388 | strncpy(c->name, newname, sizeof(IPT_CHAINLABEL)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: axe non-building debug codeFlorian Westphal2019-09-163-365/+1
| | | | | | | hasn't built with IPTC_DEBUG=1 since at least 2004, so remove it. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1275 Signed-off-by: Florian Westphal <fw@strlen.de>
* build: remove -Wl,--no-as-needed and libiptc.soJan Engelhardt2019-05-301-5/+2
| | | | | | | | | | | | | | | | | | | | Despite the presence of --no-as-needed, the libiptc.so library as produced inside the openSUSE Build Service has no links to libip4tc.so or libip6tc.so. I have not looked into why --no-as-needed is ignored in this instance, but likewise, the situation must have been like that ever since openSUSE made as-needed a distro-wide default (gcc 4.8 timeframe or so). Since I am not aware of any problem reports within SUSE/openSUSE about this whole situation, it seems safe to assume no one in the larger scope is still using a bare "-liptc" on the linker command line and that all parties have moved on to using pkg-config. Therefore, libiptc.la/so is hereby removed, as are all parts related to the -Wl,--no-as-needed flag. Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: Extend struct xtc_opsPhil Sutter2018-11-132-2/+6
| | | | | | | Add a few more callbacks used by iptables-save. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: NULL-terminate errornamePhil Sutter2018-09-251-1/+2
| | | | | | | | | | In struct chain_head, field 'name' is of size TABLE_MAXNAMELEN, hence copying its content into 'error_name' field of struct xt_error_target which is two bytes shorter may overflow. Make sure this doesn't happen by using strncpy() and set the last byte to zero. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: Simplify alloc_handle() function signaturePhil Sutter2018-09-241-7/+7
| | | | | | | | | | | This change originated from covscan complaining about the strcpy() call with an unknown size source buffer. But in fact, the size is known (and equal to the destination size), so pass a pointer to STRUCT_GETINFO to alloc_handle() instead of it's fields separately. Hopefully this will silence covscan. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: Avoid side-effect in memset() callsPhil Sutter2018-09-131-2/+4
| | | | | | | | | | | | | These calls to memset() are passed a length argument which exceeds t->target.u.user.name's length by one byte and hence overwrite t->target.u.user.revision as well (relying upon no padding to happen between both). Avoid this obscure behaviour by passing the correct field size and explicitly overwriting 'revision' field. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
* libiptc: don't set_changed() when checking rules with module jumpsDan Williams2017-02-281-6/+8
| | | | | | | | | | | | | | | Checking a rule that includes a jump to a module-based target currently sets the "changed" flag on the handle, which then causes TC_COMMIT() to run through the whole SO_SET_REPLACE/SO_SET_ADD_COUNTERS path. This seems wrong for simply checking rules, an operation which is documented as "...does not alter the existing iptables configuration..." but yet it clearly could do so. Fix that by ensuring that rule check operations for module targets don't set the changed flag, and thus exit early from TC_COMMIT(). Signed-off-by: Dan Williams <dcbw@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: Spelling fixesVille Skyttä2015-09-071-1/+1
| | | | | | | While at it, update comment format for the respective blocks. Signed-off-by: Ville Skyttä <ville.skytta@iki.fi> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libiptc: fix fortify errors in debug codeMike Frysinger2015-08-261-3/+3
| | | | | | | | When using open(O_CREAT), you must supply the mode bits, otherwise the func will pull random garbage off the stack. Signed-off-by: Mike Frysinger <vapier@gentoo.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* list: fix prefetch dummyArturo Borrero2015-04-081-1/+1
| | | | | | | | | | | | | linux_list.h:381:59: warning: right-hand operand of comma expression has no effect [-Wunused-value] for (pos = list_entry((head)->next, typeof(*pos), member), \ ^ libiptc.c:552:2: note: in expansion of macro 'list_for_each_entry' list_for_each_entry(c, &h->chains, list) { ^ [ Patch copied from one similar of Patrick McHardy on libnftnl ] Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
* libip6t_NETMAP: Use xtables_ip6mask_to_cidr and get rid of libip6tc dependencyPablo Neira Ayuso2013-03-291-1/+1
| | | | | | | | | This patch changes the NETMAP target extension (IPv6 side) to use the xtables_ip6mask_to_cidr available in libxtables. As a side effect, we get rid of the libip6tc dependency. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* libiptc: fix retry path in TC_INITMiguel GAIO2012-04-191-1/+1
| | | | | | | | | | | There is an issue on TC_INIT retry path: In error case, TC_FREE is called and close sockfd. The retry does not reopen then always fail. The proposing patch reopens sockfd in retry patch. Signed-off-by: Miguel GAIO <miguel.gaio@efixo.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* src: mark newly opened fds as FD_CLOEXEC (close on exec)Maciej Żenczykowski2012-03-231-0/+8
| | | | | | | | | | | | | | | | | | By default, Unix-like systems leak file descriptors after fork/exec call. I think this seem to result in SELinux spotting a strange AVC log messages according to what I can find on the web. Fedora 18 iptables source includes this change. Maciej says: "iptables does potentially fork/exec modprobe to load modules. That can cause a selinux 'domain'/'role'/whatever-it-is-called crossing. You can do automated inspection of what gets carried across such privilege changes and any unexpected open file descriptors flag problems, patches like this cut down on the noise." Signed-off-by: Maciej enczykowski <maze@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: missing free() in function delete_entry()Franz Flasch2012-03-121-1/+3
| | | | | | | | Fixed a memory leak in the dry run path of function delete_entry(). Signed-off-by: Franz Flasch <franz.flasch@frequentis.com> Signed-off-by: Christian Engelmayer <christian.engelmayer@frequentis.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* iptables: missing free() in function cache_add_entry()Franz Flasch2012-03-121-0/+1
| | | | | | | | Fixed a memory leak in the error path of function cache_add_entry(). Signed-off-by: Franz Flasch <franz.flasch@frequentis.com> Signed-off-by: Christian Engelmayer <christian.engelmayer@frequentis.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Revert "libiptc: Returns the position the entry was inserted"Pablo Neira Ayuso2012-03-011-3/+2
| | | | | | | | | This reverts commit d65702c5c5bbab0ef12298386fa4098c72584e6c. This is breaking my iptables scripts: iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables: Incompatible with this kernel.
* libiptc: Returns the position the entry was insertedJonh Wendell2012-02-291-2/+3
| | | | Jan Engelhardt showed no objections to this patch.
* Merge branch 'stable'Jan Engelhardt2011-12-184-83/+69
|\
| * libiptc: use a family-invariant xtc_ops struct for code reductionJan Engelhardt2011-09-114-2/+16
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * src: resolve old macro names that are indirectionsJan Engelhardt2011-09-112-31/+31
| | | | | | | | | | | | | | | | | | | | | | Command used: git grep -f <(pcregrep -hior '(?<=#define\s)IP6?(T_\w+)(?=\s+X\1)' include/) and then fix all occurrences. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libiptc: combine common types: _handleJan Engelhardt2011-09-113-13/+6
| | | | | | | | | | | | | | No real API/ABI change incurred, since the definition of the structs' types is not visible anyhow. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libiptc: replace ipt_chainlabel by xt_chainlabelJan Engelhardt2011-09-112-2/+2
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libiptc: remove unused HOOK_DROPPING thingJan Engelhardt2011-09-112-15/+0
| | | | | | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
| * libiptc: resolve compile failureJan Engelhardt2011-09-111-20/+14
| | | | | | | | | | | | | | | | | | | | | | CC libip4tc.lo In file included from libip4tc.c:118:0: libiptc.c:70:8: error: redefinition of "struct xt_error_target" ../include/linux/netfilter/x_tables.h:69:8: note: originally defined here Remove libiptc's duplicate definition and substitute names. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* | libiptc: provide separate pkgconfig filesJan Engelhardt2011-12-185-6/+24
|/ | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: Coverity: DEADCODEJiri Popelka2011-06-221-3/+1
| | | | | | | | | | | | | | | | libiptc.c:407: dead_error_condition: On this path, the condition "res > 0" cannot be false. libiptc.c:396: at_least: After this line, the value of "res" is at least 1. libiptc.c:393: equality_cond: Condition "res == 0" is evaluated as false. libiptc.c:396: new_values: Noticing condition "res < 0". libiptc.c:425: new_values: Noticing condition "res < 0". libiptc.c:407: new_values: Noticing condition "res > 0". libiptc.c:435: dead_error_line: Execution cannot reach this statement "return list_pos;". Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: re-add missing CPPFLAGS for libiptcJan Engelhardt2011-06-081-0/+3
| | | | | | | | | | These got lost on commit v1.4.11-12-g5c8f5b6. Note: When /usr/include/libiptc/libiptc.h exists, this error is masked away :-/ (IMO, #include-with-quotes "foo.h" should not search system dirs...) Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: move all libiptc pieces into its directoryJan Engelhardt2011-06-073-0/+25
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* build: remove dead code partsJan Engelhardt2011-05-301-5/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | gcc-4.6 has a new warning, -Wunused-but-set-variable, which flags no-op code. CC libiptc/libip4tc.lo In file included from libiptc/libip4tc.c:118:0: libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain": libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used libiptc/libiptc.c: In function "alloc_handle": libiptc/libiptc.c:1282:9: warning: variable "len" set but not used CC libiptc/libip6tc.lo In file included from libiptc/libip6tc.c:113:0: libiptc/libiptc.c: In function "iptcc_chain_index_delete_chain": libiptc/libiptc.c:611:32: warning: variable "index_ptr2" set but not used libiptc/libiptc.c: In function "alloc_handle": libiptc/libiptc.c:1282:9: warning: variable "len" set but not used CC xtables_multi-iptables-xml.o iptables-xml.c: In function "do_rule_part": iptables-xml.c:376:8: warning: variable "thisChain" set but not used CC xtables_multi-ip6tables.o ip6tables.c: In function "print_firewall": ip6tables.c:552:10: warning: variable "flags" set but not used Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: replace old IP*T_ALIGN macrosJan Engelhardt2011-05-122-4/+4
| | | | Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* iptables: add -C to check for existing rulesStefan Tomanek2011-03-083-6/+26
| | | | | | | | | | | | | | | | | It is often useful to check whether a specific rule is already present in a chain without actually modifying the iptables config. Services like fail2ban usually employ techniques like grepping through the output of "iptables -L" which is quite error prone. This patch adds a new operation -C to the iptables command which mostly works like -D; it can detect and indicate the existence of the specified rule by modifying the exit code. The new operation TC_CHECK_ENTRY uses the same code as the -D operation, whose functions got a dry-run parameter appended. Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de> Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* src: use C99/POSIX typesJan Engelhardt2011-01-081-2/+2
| | | | | | "u_int" was a non-standardized extension predating C99 on some platforms. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libip4tc: Add static qualifier to dump_entry()Dmitry V. Levin2010-02-181-2/+2
| | | | | | | | | Change dump_entry() signature defined in libip4tc.c to match prototype declared in libiptc.c and another static dump_entry() function defined in libip6tc.c. This function is not a part of the public libiptc API. Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: fix wrong maptype of base chain counters on restoreJan Engelhardt2009-10-291-1/+1
| | | | | | | | | | | | | | | When a ruleset that does not reset any chain policies/counters, such as *filter COMMIT is sourced by iptables-restore, the previous policy and counters (i.e. the ones read from the kernel) are reused. The counter skew offsetting is wrong however, causing the read value to be readded to the kernel value. This manifests itself in practice by the counter value almost doubling everytime iptables-restore is called. Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: avoid strict-aliasing warningsJan Engelhardt2009-10-253-5/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | In file included from libiptc/libip4tc.c:117:0: libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’: libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break strict-aliasing rules libiptc/libiptc.c: In function ‘iptc_get_target’: libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break strict-aliasing rules libiptc/libip4tc.c: In function ‘dump_entry’: libiptc/libip4tc.c:157:3: warning: dereferencing type-punned pointer will break strict-aliasing rules CC libiptc/libip6tc.lo In file included from libiptc/libip6tc.c:112:0: libiptc/libiptc.c: In function ‘__iptcc_p_del_policy’: libiptc/libiptc.c:826:4: warning: dereferencing type-punned pointer will break strict-aliasing rules libiptc/libiptc.c: In function ‘ip6tc_get_target’: libiptc/libiptc.c:1650:4: warning: dereferencing type-punned pointer will break strict-aliasing rules libiptc/libip6tc.c: In function ‘dump_entry’: libiptc/libip6tc.c:188:3: warning: dereferencing type-punned pointer will break strict-aliasing rules Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: remove unused functionsJan Engelhardt2009-10-251-39/+0
| | | | | | | | | | | | | Fix the two warnings in libiptc.c: CC libiptc/libip4tc.lo libiptc/libiptc.c:1570:1: warning: ‘iptc_num_rules’ defined but not used libiptc/libiptc.c:1586:1: warning: ‘iptc_get_rule’ defined but not used CC libiptc/libip6tc.lo libiptc/libiptc.c:1570:1: warning: ‘ip6tc_num_rules’ defined but not used libiptc/libiptc.c:1586:1: warning: ‘ip6tc_get_rule’ defined but not used Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
* libiptc: give credits to my selfJesper Dangaard Brouer2009-03-231-0/+5
| | | | | | | | Add notes about my scalability work on the library libiptc. This should make in more obvious who to complain to. Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: fix whitespaces and typosJesper Dangaard Brouer2009-03-231-41/+41
| | | | | | | Cleanup whitespaces while going through the code. Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: fix chain rename bug in libiptcJesper Dangaard Brouer2009-03-231-1/+8
| | | | | | | | | Chain renaming (TC_RENAME_CHAIN) can result in an unsorted chain list. That breaks the requirement of the binary search done in iptcc_bsearch_chain_index(). Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: avoid compile warnings for iptc_insert_chainChristoph Paasch2009-03-231-1/+1
| | | | | | | | iptc_insert_chain is too big to get inlined and so it generates a warning while compiling. Signed-off-by: Christoph Paasch <christoph.paasch@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: guard chain index allocation for different malloc implementationsJan Engelhardt2008-11-261-1/+1
| | | | | | | | Some libc implementations such as µClibc return NULL on malloc(0). They are free to do that per C standard. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signeed-off-by: Patrick McHardy <kaber@trash.net>
* libiptc: make sockfd a per-handle thingJan Engelhardt2008-11-101-24/+14
| | | | | | | Get away from this singleton. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>